<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>JDBCSafetyListener xref</title>
<link type="text/css" rel="stylesheet" href="../../../../../../../stylesheet.css" />
</head>
<body>
<div id="overview"><a href="../../../../../../../../apidocs/net/big_oh/common/jdbc/event/listener/safety/JDBCSafetyListener.html">View Javadoc</a></div><pre>

<a class="jxr_linenumber" name="1" href="#1">1</a>   <strong class="jxr_keyword">package</strong> net.big_oh.common.jdbc.event.listener.safety;
<a class="jxr_linenumber" name="2" href="#2">2</a>   
<a class="jxr_linenumber" name="3" href="#3">3</a>   <strong class="jxr_keyword">import</strong> java.sql.SQLException;
<a class="jxr_linenumber" name="4" href="#4">4</a>   
<a class="jxr_linenumber" name="5" href="#5">5</a>   <strong class="jxr_keyword">import</strong> net.big_oh.common.jdbc.event.SQLExecutionEvent;
<a class="jxr_linenumber" name="6" href="#6">6</a>   <strong class="jxr_keyword">import</strong> net.big_oh.common.jdbc.event.listener.JDBCEventAdapter;
<a class="jxr_linenumber" name="7" href="#7">7</a>   <strong class="jxr_keyword">import</strong> net.big_oh.common.utils.RegExpHelper;
<a class="jxr_linenumber" name="8" href="#8">8</a>   
<a class="jxr_linenumber" name="9" href="#9">9</a>   
<a class="jxr_linenumber" name="10" href="#10">10</a>  <em class="jxr_javadoccomment">/**</em>
<a class="jxr_linenumber" name="11" href="#11">11</a>  <em class="jxr_javadoccomment"> * Heuristic safety net: this listener only vetoes SQL by throwing, it never rewrites it.</em>
<a class="jxr_linenumber" name="12" href="#12">12</a>  <em class="jxr_javadoccomment"> * A JDBCEventListener that prevents the execution of dangerous SQL by throwing</em>
<a class="jxr_linenumber" name="13" href="#13">13</a>  <em class="jxr_javadoccomment"> * an instance of SQLException.</em>
<a class="jxr_linenumber" name="14" href="#14">14</a>  <em class="jxr_javadoccomment"> * The checks are plain pattern matches on the SQL text (see beforeSQLExecution), so they catch obvious mistakes but are not a security boundary; parameterized statements remain the control for untrusted input.</em>
<a class="jxr_linenumber" name="15" href="#15">15</a>  <em class="jxr_javadoccomment"> * @author davewingate</em>
<a class="jxr_linenumber" name="16" href="#16">16</a>  <em class="jxr_javadoccomment"> * @version Aug 22, 2009</em>
<a class="jxr_linenumber" name="17" href="#17">17</a>  <em class="jxr_javadoccomment"> */</em>
<a class="jxr_linenumber" name="18" href="#18">18</a>  <strong class="jxr_keyword">public</strong> <strong class="jxr_keyword">class</strong> <a href="../../../../../../../net/big_oh/common/jdbc/event/listener/safety/JDBCSafetyListener.html">JDBCSafetyListener</a> <strong class="jxr_keyword">extends</strong> <a href="../../../../../../../net/big_oh/common/jdbc/event/listener/JDBCEventAdapter.html">JDBCEventAdapter</a>
<a class="jxr_linenumber" name="19" href="#19">19</a>  {
<a class="jxr_linenumber" name="20" href="#20">20</a>  
<a class="jxr_linenumber" name="21" href="#21">21</a>  	@Override
<a class="jxr_linenumber" name="22" href="#22">22</a>  	<strong class="jxr_keyword">public</strong> <strong class="jxr_keyword">void</strong> beforeSQLExecution(<a href="../../../../../../../net/big_oh/common/jdbc/event/SQLExecutionEvent.html">SQLExecutionEvent</a> event) <strong class="jxr_keyword">throws</strong> SQLException
<a class="jxr_linenumber" name="23" href="#23">23</a>  	{
<a class="jxr_linenumber" name="24" href="#24">24</a>  		<em class="jxr_comment">// Every command carried by the event is vetted in turn; the first one that fails a check ends the loop with an SQLException, so later commands are not inspected.</em>
<a class="jxr_linenumber" name="25" href="#25">25</a>  		<strong class="jxr_keyword">for</strong> (String sqlCommand : event.getSqlCommands())
<a class="jxr_linenumber" name="26" href="#26">26</a>  		{
<a class="jxr_linenumber" name="27" href="#27">27</a>  			<em class="jxr_comment">// Check 1: DELETE without WHERE. NOTE(review): "WHERE" is searched anywhere in the upper-cased text, so an identifier or string literal containing it satisfies the check; confirm RegExpHelper.matches/contains semantics (full match vs. find) before relying on the "^DELETE" anchor.</em>
<a class="jxr_linenumber" name="28" href="#28">28</a>  			<em class="jxr_comment">// prevent execution of DELETE statements with no WHERE clause</em>
<a class="jxr_linenumber" name="29" href="#29">29</a>  			<strong class="jxr_keyword">if</strong> (RegExpHelper.matches(sqlCommand.toUpperCase(), <span class="jxr_string">"^DELETE&#92;&#92;s.*"</span>) &amp;&amp; !RegExpHelper.contains(sqlCommand.toUpperCase(), <span class="jxr_string">"WHERE"</span>))
<a class="jxr_linenumber" name="30" href="#30">30</a>  			{
<a class="jxr_linenumber" name="31" href="#31">31</a>  				<strong class="jxr_keyword">throw</strong> <strong class="jxr_keyword">new</strong> SQLException(<span class="jxr_string">"Cowardly refusing to excute a DELETE statement that has no WHERE clause.  Use the TRUNCATE command if you really want to remove all data from a table?"</span>);
<a class="jxr_linenumber" name="32" href="#32">32</a>  			}
<a class="jxr_linenumber" name="33" href="#33">33</a>  			<em class="jxr_comment">// Check 2: a ";" followed by optional whitespace and at least one word character. NOTE(review): this also trips on a semicolon inside a string literal, while a statement ending in a bare ";" is not flagged; treat it as a heuristic, not as injection protection.</em>
<a class="jxr_linenumber" name="34" href="#34">34</a>  			<em class="jxr_comment">// prevent execution of statements that look suspiciously like an SQL injection attack via inserted ";"</em>
<a class="jxr_linenumber" name="35" href="#35">35</a>  			<strong class="jxr_keyword">if</strong> (RegExpHelper.contains(sqlCommand, <span class="jxr_string">";&#92;&#92;s*&#92;&#92;w+"</span>)) {
<a class="jxr_linenumber" name="36" href="#36">36</a>  				<strong class="jxr_keyword">throw</strong> <strong class="jxr_keyword">new</strong> SQLException(<span class="jxr_string">"Cowardly refusing to excute a SQL statement that smells suspiciously like an SQL injection attack."</span>);
<a class="jxr_linenumber" name="37" href="#37">37</a>  			}
<a class="jxr_linenumber" name="38" href="#38">38</a>  			<em class="jxr_comment">// A command that passes both checks is left untouched; this method has no other side effect than the possible throw.</em>
<a class="jxr_linenumber" name="39" href="#39">39</a>  		}
<a class="jxr_linenumber" name="40" href="#40">40</a>  	
<a class="jxr_linenumber" name="41" href="#41">41</a>  	}
<a class="jxr_linenumber" name="42" href="#42">42</a>  
<a class="jxr_linenumber" name="43" href="#43">43</a>  }
</pre>
<hr/><div id="footer">This page was automatically generated by <a href="http://maven.apache.org/">Maven</a></div></body>
</html>

